Technical field
The invention relates to the technical field of cloud computing, and in particular to a method for preventing IP and MAC forgery on a cloud platform.
Background
With the development of cloud computing, many business systems are gradually being migrated to cloud platforms. At the same time, as cloud network architectures change, these business systems place more demands on the network. For example, to build a Keepalive heartbeat setup between two virtual machines, the virtual network card of one virtual machine must be allowed to pass traffic for one MAC address with several IP addresses, whereas the traditional approach permits only one MAC address with one IP address and can no longer meet this requirement. How can the network requirements of virtual machines be met while still effectively preventing ARP spoofing by virtual machines, without having to enable the guest's firewall or install additional packet filtering tools?
Summary of the invention
The problem solved by the present invention is to provide a method for preventing IP and MAC forgery on a cloud platform. Without installing additional packet filtering tools, the method allows compliant packets for multiple IP and MAC addresses to pass through the virtual network cards of virtual machines and containers, prevents IP and MAC forgery on the cloud platform, and improves the security of the cloud platform network.
The technical solution by which the present invention solves the above technical problem is as follows:
It comprises the following steps:
Step 1: add a network interface to the virtual switch;
Step 2: obtain all IP and MAC information allowed to pass on the virtual network card;
Step 3: according to the network interface port number and the IP and MAC information, establish a flow table and ARP flow rules on the virtual switch; only ARP packets whose IP and MAC addresses meet the conditions are allowed through, and all other ARP packets are dropped.
In the IP and MAC information, one MAC may correspond to multiple IPs; one MAC together with one IP forms one record.
Regarding the switch, flow table and flow rules:
(1) The virtual switch has ports, bridges and flow tables; the port number of the network interface on the bridge is obtained from the network interface and the bridge;
(2) A new flow table is created together with its default flow rule; the default flow rule has the lowest priority and its action is to drop the packet;
(3) According to the port number of the network interface, ARP packets coming from that port are redirected to the newly created flow table;
(4) In the newly created flow table, ARP flow rules based on port number, MAC, IP and the ARP protocol are added; the action of these flow rules is accept, and their priority is higher than that of the default flow rule.
The network interface supports physical machine network cards as well as virtual network interfaces such as those of virtual machines and containers; Open vSwitch may be used as the virtual switch.
The beneficial effects of the scheme of the present invention are as follows:
1. The method of the present invention requires no additional filtering tools; it processes Layer 2 packets at the network interface, supports multiple MAC and IP rules, and satisfies the complex packet-handling requirements of different services.
2. The method of the present invention is reliable in principle and simple to implement, and can easily be integrated into third-party cloud platforms.
Description of drawings
The present invention is further described below with reference to the accompanying drawing:
Fig. 1 is a flowchart of the present invention.
Detailed description
As shown in the flowchart of Fig. 1, the basic implementation steps of the present invention are as follows:
(1) Add a network interface to Open vSwitch
Network configuration of the virtual machine in libvirt:
where the name of the virtual switch bridge is 'br0',
and the virtual interface name is tap2f345c42-19, which has a unique identifier on the controller.
(2) Obtain the list of MAC and IP addresses allowed on the virtual interface.
From the network component center, obtain the list of MAC and IP addresses allowed on the virtual interface tap2f345c42-19, for example: 12.16.10.1 / fa:16:3e:a3:2b:06 and 10.10.0.12 / fa:16:3e:a3:2b:06.
(3) Add the flow table and flow rules
a) Obtain the port number of the virtual port:
ovs-ofctl show br0
The output shows that the port number of tap2f345c42-19 on br0 is 1.
b) Create a new flow table and its default flow rule (lowest priority, drop):
ovs-ofctl add-flow br0 "table=1,priority=0,actions=drop"
c) Using the virtual machine's port number, redirect the ARP packets (dl_type 0x0806) coming from that port to the newly created flow table:
ovs-ofctl add-flow br0 "in_port=1,dl_type=0x0806,priority=2,actions=resubmit(,1)"
d) In the newly created flow table, add ARP flow rules based on port, MAC, IP and the ARP protocol; the action of the flow rules is accept, and their priority is higher than that of the default flow rule:
ovs-ofctl add-flow br0 "table=1,in_port=1,dl_type=0x0806,dl_src=fa:16:3e:a3:2b:06,arp_spa=12.16.10.1,priority=1,actions=NORMAL"
ovs-ofctl add-flow br0 "table=1,in_port=1,dl_type=0x0806,dl_src=fa:16:3e:a3:2b:06,arp_spa=10.10.0.12,priority=1,actions=NORMAL"
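The three-step rule construction above (default-drop table, ARP redirect from the VM port, one accept rule per MAC/IP record) is mechanical enough to generate from the allow-list. The script below is an added example and is not part of the patent or of Open vSwitch; it assumes bridge br0, OpenFlow port 1 (as read from `ovs-ofctl show br0`) and flow table 1, and it uses a constructed two-record allow-list in which the same MAC carries two IPs, the Keepalive case from the background section. It only prints the ovs-ofctl commands, so it can be reviewed before anything touches the switch.

```shell
#!/bin/sh
# Added example, not from the patent text: generate the ovs-ofctl rule set
# described in the method from a "MAC IP" allow-list for one virtual interface.
# Assumed values: bridge br0, OpenFlow port 1, flow table 1. Commands are
# printed, never executed.

# Constructed allow-list for the interface, one "MAC IP" record per line.
# The same MAC appears twice: the one-MAC-many-IP case the method supports.
ALLOWLIST='fa:16:3e:a3:2b:06 12.16.10.1
fa:16:3e:a3:2b:06 10.10.0.12'

# Reject records that would not form a precise match. A malformed MAC or IP
# either makes ovs-ofctl fail or, if it still parses, matches more than intended.
valid_record() {
  printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
  printf '%s\n' "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
}

# Print the rules for bridge $1, in_port $2, table $3; records are read from stdin.
gen_arp_rules() {
  br=$1; port=$2; tbl=$3
  # Default rule of the new table: lowest priority, drop. Every ARP frame not
  # explicitly accepted below, including one with a forged sender, ends here.
  printf 'ovs-ofctl add-flow %s "table=%s,priority=0,actions=drop"\n' "$br" "$tbl"
  # Send all ARP frames (dl_type 0x0806) arriving from the VM port to that table.
  printf 'ovs-ofctl add-flow %s "in_port=%s,dl_type=0x0806,priority=2,actions=resubmit(,%s)"\n' \
    "$br" "$port" "$tbl"
  # One accept rule per record: source MAC and ARP sender IP must both match.
  while read -r mac ip; do
    [ -n "$mac" ] || continue
    valid_record "$mac" "$ip" || { echo "skipping malformed record: $mac $ip" >&2; continue; }
    printf 'ovs-ofctl add-flow %s "table=%s,in_port=%s,dl_type=0x0806,dl_src=%s,arp_spa=%s,priority=1,actions=NORMAL"\n' \
      "$br" "$tbl" "$port" "$mac" "$ip"
  done
}

# Dry run with the constructed data: inspect the output, then pipe it into sh
# on the hypervisor once the port number has been confirmed.
printf '%s\n' "$ALLOWLIST" | gen_arp_rules br0 1 1
```

The drop rule is emitted first so that the table is never briefly in an accept-all state, and the redirect rule is added before the accept rules so that any ARP frame from the port is already subject to the new table when the first accept rule lands. Note that, exactly as in the patent's own commands, these rules match only ARP (dl_type 0x0806); they say nothing about ordinary IPv4 frames leaving the port, which is worth keeping in mind when reading the title's "IP and MAC forgery".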
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710892068.9A | 2017-09-27 | 2017-09-27 | A method to prevent cloud platform IP and MAC forgery |

| Publication Number | Publication Date | Status |
|---|---|---|
| CN107612843A (en) | 2018-01-19 | Withdrawn |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | WW01 | Invention patent application withdrawn after publication | Application publication date: 2018-01-19 |